Abstract

An analysis of a recently proposed cryptosystem based on chaotic oscillators
and feedback inversion is presented. It is shown how the cryptosystem can be
broken when Duffing's oscillator is considered. Some implementation problems
of the system are also discussed.



1 Introduction 

In recent years, a growing number of cryptosystems based on chaos have been
proposed [1], many of them fundamentally flawed by a lack of robustness and
security. In the Letter [2], the authors have proposed a symmetric cryptosystem
based on chaotic oscillators. More precisely, let
$N : L_{\infty,e}(\mathbb{R}_+) \to L_{\infty,e}$ be a non-linear time-varying
system, where $L_{\infty,e}$ stands for the extended $L_\infty$-space on
$\mathbb{R}_+$, and let $S_1$ and $S_2$ be two signal generators which generate
the time functions $t \mapsto w_1(t)$ and $t \mapsto w_2(t)$, respectively. The
encryption process is defined by adding the signal generator $S_2$ to the output
of the dynamic evolution of $N$. Explicitly, to encrypt a message defined by a
train of pulses $t \mapsto p(t)$, of suitable width and of amplitude zero or
one, it is necessary to compute the function $u(t) = p(t) + w_1(t)$,
$\forall t > 0$. Then, $u(t)$ is applied to the system $N$ and its output is
added to $w_2(t)$. The ciphertext is then defined to be
$c(t) = (Nu)(t) + w_2(t)$, $\forall t > 0$.

The decryption process consists of the two signal generators, $S_1$ and $S_2$,
and a feedback system $S(g, N)$, where $N$ is the non-linear system used in the
encryption protocol and $g$ is the gain of the system. To decrypt a message
$c(t)$, one subtracts $w_2(t)$ from $c(t)$ and the result is the input to the
system $S(g, N)$. Its output is a good, but noisy, approximation of $u(t)$;
also, the difference between $w_1(t)$ and that output gives a good, but noisy,
approximation of $p(t)$. Using a low-pass filter $L(s)$ and a quantizer $Q$,
the original message is obtained. In order to recover the original message
exactly, $L(s)$ should be designed carefully. Although the authors seem to base
the security of their cryptosystem on the chaotic behavior of the output of the
non-linear system $N$, no analysis of security is included.

In the present Letter we discuss the weaknesses of this system in Section 2
and we analyze its practical implementation in Section 3.

2 Attacks to the cryptosystem 

In this section we show how to break the cryptosystem proposed in [2] when
Duffing's oscillator is used as the non-linear time-varying system [2, §3.1],
which, in fact, is the first example explained in detail. The main problem with
this cryptosystem lies in the fact that the ciphertext is an analog signal,
whose waveform depends on the system parameter values and the plaintext signal.
Likewise, the detected signal before the quantizer depends on these same
parameters. The study of these signals provides the necessary information to
recover a good estimation of the system parameter values and the correct
plaintext.

We consider the first example in [2, §4.1], for Duffing's oscillator,
represented by:

$$N:\ \ddot{x}(t) + \delta\dot{x}(t) - \alpha x(t) + \beta x(t)^3 = u(t), \quad x(0) = 0,\ \dot{x}(0) = 0. \tag{1}$$

In their example $w_1(t) = A\cos\omega t$ and $w_2(t) = 0$. The key of the
system is made up of the oscillator's parameters $(\delta, \alpha, \beta)$ and
the signal generator's parameters $(A, \omega)$. Following the example given,
we use a key formed by the following set of parameters:

$$\alpha = 10,\quad \beta = 100,\quad \delta = 1,\quad A = 1.5,\quad \omega = 3.76. \tag{2}$$

Duffing's oscillator is used operating in the chaotic region. This region is
roughly characterized by the following values of the parameters:

$$3 < \alpha < 15,\quad 40 < \beta < 250,\quad 0.5 < \delta < 1.7,\quad 1 < A < 2,\quad 0.5 < \omega < 7. \tag{3}$$

The sensitivity to the parameter values is so low that the original plaintext
can be recovered from the ciphertext using a receiver system with parameter
values considerably different from the ones used by the sender. As a
consequence, it is very economical to try different combinations of the
parameters until a reasonable approximation is reached. Although the parameter
values can be obtained with great precision, their knowledge is not necessary
to recover the plaintext.

We have found that the message can be decrypted even when $\beta$ has an error
of ±5%, $\delta$ has an error from −30% to +60%, and $\alpha$ has an absolute
error of ±2 integers, with respect to the original set of parameters (2).

In Fig. 1 we show the power spectral analysis of the example ciphertext
signal. As can be observed, the frequency of the forced oscillator is totally
evident. The highest peak of the spectrum appears at the $S_1$ signal generator
frequency of $\omega = 3.76$. Thus, by simply examining the ciphertext, one of
the elements of the key ($\omega$) is obtained.

Next, the attacker uses a receiver for which $A = 0$, and the rest of the
parameters take values from the following sets:

$$\alpha = \{5, 9, 13\}, \tag{4}$$

$$\beta = \{43, 47, 51, 56, 62, 68, 75, 82, 91, 100, 110, 120, 130, 145, 160, 180, 200, 220, 240\}, \tag{5}$$

$$\delta = \{0.7, 1.3\}. \tag{6}$$

This makes a total of 114 possible combinations, which should be tried one by 
one. To check whether the choice of the parameters is good, we look at the 
output of the low-pass filter L(s), which we call p(t). When the parameter 
values are slightly different from the right ones, then p(t) will look like a square 
signal summed with a pure sine. The frequency of this sine corresponds to
the value of $\omega$ previously calculated from the spectrum of the ciphertext.
The amplitude of this sine corresponds exactly to the value of $A$ used by the
sender.
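
The exhaustive search described above, as an added example (not code from the Letter [2] or from this analysis): it enumerates the candidate receivers of Eqs. (4)-(6) and applies the tolerances reported earlier around the key of Eq. (2) to list which candidates would decrypt. Treating those tolerances as hard pass/fail limits, and all function names, are assumptions of the example.

```python
import math
from itertools import product

# Candidate receiver settings from Eqs. (4)-(6); the attacker sets A = 0.
ALPHAS = (5, 9, 13)
BETAS = (43, 47, 51, 56, 62, 68, 75, 82, 91, 100, 110,
         120, 130, 145, 160, 180, 200, 220, 240)
DELTAS = (0.7, 1.3)

# Oscillator part of the sender key, Eq. (2).
KEY = {"alpha": 10, "beta": 100, "delta": 1.0}

EPS = 1e-9  # keeps boundary cases stable under floating-point rounding


def candidates():
    """All (alpha, beta, delta) receivers the exhaustive search tries."""
    return list(product(ALPHAS, BETAS, DELTAS))


def percent_error(value, reference):
    return 100.0 * (value - reference) / reference


def decrypts(cand, key=KEY):
    """Assumption of this example: the tolerances reported in the text
    (alpha within +/-2, beta within +/-5 %, delta from -30 % to +60 %)
    act as hard pass/fail limits around the sender key."""
    alpha, beta, delta = cand
    return (abs(alpha - key["alpha"]) <= 2
            and abs(percent_error(beta, key["beta"])) <= 5 + EPS
            and -30 - EPS <= percent_error(delta, key["delta"]) <= 60 + EPS)


def working_candidates(key=KEY):
    """Candidates that would recover the plaintext for the given key."""
    return [c for c in candidates() if decrypts(c, key)]


def search_bits():
    """Size of the exhaustive search expressed in bits."""
    return math.log2(len(candidates()))


if __name__ == "__main__":
    print(len(candidates()), "candidates =", round(search_bits(), 2), "bits")
    for cand in working_candidates():
        print("recovers the plaintext:", cand)
```

For the key of Eq. (2), two of the 114 candidates fall inside the tolerances, and the whole search is worth fewer than 7 bits of work.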

Next, the value of $A$ just computed is used to regenerate the plaintext. Due
to the low sensitivity to the parameter values, although the exact values are
unknown, the deciphered plaintext signal will be equal (or very close) to the
original one. In Fig. 2 the recovered plaintext is depicted for the following
parameter values:

$$\alpha = 9,\quad \beta = 100,\quad \delta = 0.7,\quad A = 1.4,\quad \omega = 3.76. \tag{7}$$

The first three values are taken from the equations (4)–(6). Although the
parameter errors are 10%, 0%, 30%, 6.66%, and 0%, respectively, the plaintext is
correctly recovered. These values could be further refined by varying them in
an effort to approximate $p(t)$ to a square wave.

3 Difficulties of practical implementation

In this section we discuss the difficulties that this cryptosystem will face if
it is practically implemented.

3.1 Analog transmission

The proposed cryptosystem seems to present serious problems in a real
transmission, because the recovered signal at the receiving end of the
transmission path will be very difficult to decrypt.

Apparently, the authors have only implemented a software simulation of
the complete encryption/decryption system, feeding the ciphertext (the output
generated by the encryption system) directly as the input to the decryption
system. The generators $S_1$ and $S_2$, part of the system key, appear to be
connected simultaneously and locally to both the encryption and decryption
systems.

In real world applications, however, things happen in a very different way.
Ideal transmission lines introduce an unknown amount of attenuation and delay
in the transmitted signal. Furthermore, real transmission lines introduce
distortion and noise too. Moreover, wireless communication systems exhibit
time-variable attenuation and delay.

Thus, the input signal at the receiver end $c'(t)$ and the transmitted signal
$c(t)$ will differ. In the most favorable case, if we assume that we are using
an ideal line, the received signal will be $c'(t) = k\,c(t + \tau)$, where $k$
and $\tau$ are the attenuation and delay of the line.

3.1.1 Synchronization

As the authors point out, most continuous chaotic cryptosystems described until
now are based on the synchronization of two chaotic systems. The claimed
novelty of the present cryptosystem relies on the lack of synchronization
between encryption and decryption; but this is an erroneous claim, because in
the software simulations the authors have used a hidden synchronization
mechanism consisting of the local and simultaneous connection of generators
$S_1$ and $S_2$ to both the encryption and decryption systems.

In real world applications, given that transmission lines have limited
bandwidth, when transmitting to a remote system, signal delay will take place.
The delay amount may vary for different frequency components of the signal,
depending on the line impulse response. Thus, the observed waveforms at sender
and receiver ends may differ and it will be very difficult to estimate the
right moment to start the receiving generators.

Some measures should be taken to assure that both ends are using signal
generators $S_1$ and $S_2$ with exactly the same phase with respect to the
ciphertext. However, no measure is considered by the authors. Hence the
receiver end's generators will never generate the adequate signal.

3.1.2 Attenuation 

Another factor to be considered is the line attenuation. No continuous
transmission or storage system (cable, optical, magnetic or wireless) guarantees
that the received or reproduced signal amplitude preserves the original
amplitude. If the signal is transmitted over a switched network, the
attenuation will change each time that a new connection is made. If the signal
is transmitted over a wireless channel, the attenuation will vary depending on
changing atmospheric conditions, changing reflections, and changing multipath.

When transmitting a signal of known constant amplitude (e.g. square pulses
or frequency modulated sinusoids) it is possible to equalize the received
signal, restoring the correct amplitude level. But here the signal is chaotic
and its amplitude varies in an unpredictable fashion, so no level restoration
is possible.

Therefore, it will be impossible to subtract exactly $w_2$ at the receiver end.
Hence, the signal $r$ at the input of the decryption system feedback loop will
be $r(t) = c'(t) - w_2(t)$, i.e.:

$$r(t) = k(Nu)(t + \epsilon) + k\,w_2(t + \epsilon) - w_2(t), \tag{8}$$

where $\epsilon$ is the time inaccuracy in the determination of the right
moment to start the receiving generators. Hence, the decrypted signal will be:

$$y(t) \approx (N^{-1}r)(t) = \bigl(N^{-1}\bigl(k(Nu)(t + \epsilon) + k\,w_2(t + \epsilon) - w_2(t)\bigr)\bigr)(t). \tag{9}$$

As $N$ is a nonlinear chaotic map and due to the sensitive dependence on the
initial conditions that characterizes chaos [3, p. 119], the decrypted signal
$y(t)$ will never match the plaintext $p(t)$.

The recovered plaintext errors induced by the use of a real communication
channel with restricted bandwidth, attenuation and/or noise are illustrated in
Fig. 3.

Moreover, the authors seem to base the security of their cryptosystem on
the chaotic behavior of $N$, although no evidence of that is shown. In any case,
the chaotic profile of the output $x(t)$ in Duffing's oscillator is not always
guaranteed for every input $u(t) = p(t) + w_1(t)$, even in the chaotic range,
and the sensitive dependence on the initial conditions is diminished as they
are kept fixed, $x(0) = 0$, $\dot{x}(0) = 0$, in Duffing's equation (1).

3.2 Digital transmission 

If a discretization of the ciphertext is sent instead of the dynamic evolution of 
the system N, then there are two options. 

In the first one, the ciphertext is discretized only at the nodes $t_i$,
$i = 0, \dots, n$, where $n$ is the number of pulses of $p(t)$. Then, the
ciphertext sent by the sender must be the 3-tuples
$(x(t_i), \dot{x}(t_i), \ddot{x}(t_i))$, $i = 0, \dots, n$, since the receiver
needs to know these values (and not only the $x(t_i)$) in order to be able to
decrypt the message, as the usual methods of discretization do not allow one to
obtain the values of the derivative at the nodes $t_i$ in terms of the values
of the function at
such nodes. For example, if one uses the Runge-Kutta method (see 0J §163]) 
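to solve $\ddot{x} = f(t, x, \dot{x})$, then the values of the first derivative
are given by

$$\dot{x}(t_0 + h) = \dot{x}(t_0) + \tfrac{1}{6}\,(k_1 + 2k_2 + 2k_3 + k_4), \tag{10}$$

$$k_1 = h f\bigl(t_0,\ x(t_0),\ \dot{x}(t_0)\bigr), \tag{11}$$

$$k_2 = h f\bigl(t_0 + \tfrac{1}{2}h,\ x(t_0) + \tfrac{1}{2}h\,\dot{x}(t_0) + \tfrac{1}{8}h\,k_1,\ \dot{x}(t_0) + \tfrac{1}{2}k_1\bigr), \tag{12}$$

$$k_3 = h f\bigl(t_0 + \tfrac{1}{2}h,\ x(t_0) + \tfrac{1}{2}h\,\dot{x}(t_0) + \tfrac{1}{8}h\,k_2,\ \dot{x}(t_0) + \tfrac{1}{2}k_2\bigr), \tag{13}$$

$$k_4 = h f\bigl(t_0 + h,\ x(t_0) + h\,\dot{x}(t_0) + \tfrac{1}{2}h\,k_3,\ \dot{x}(t_0) + k_3\bigr). \tag{14}$$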

We remark on the fact that the values for the second derivative should be
computed from the formula

$$\ddot{x}(t_i) = f\bigl(t_i,\ x(t_i),\ \dot{x}(t_i)\bigr), \tag{15}$$

where $f$ is the function defining the dynamic system $N$. This fact implies
that the transmission has a high expansion factor, as every pulse of the
original message is transmitted by means of a 3-tuple of real numbers with a
consistent number of decimals.

The second option consists in computing a much longer list of values
$x(s_i)$, $i = 0, \dots, m$, with $m \gg n$. In this case, the values for the
first derivative can be obtained from the formulas above; but the second
derivative should also be included in the transmission. Hence, in this case the
ciphertext is $(x(s_i), \ddot{x}(s_i))$, $i = 0, \dots, m$. What is gained in
not sending the first derivative is lost by the greater number of entries of
the list.

In any case, the values of the first and second derivatives cannot be computed
by the usual approximate formulas

$$\dot{x}(t_i) \approx \frac{x(t_{i+1}) - x(t_i)}{h}, \tag{16}$$

$$\ddot{x}(t_i) \approx \frac{x(t_{i+2}) - 2x(t_{i+1}) + x(t_i)}{h^2},$$

as they produce considerable errors in the decryption process due to the
non-linear terms in $N$.
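
To put a number on the error these two difference formulas introduce, the following added example (not code from the Letter [2] or from this analysis) evaluates the left-hand side of Eq. (1) once with exact derivatives and once with the differences. It assumes a constructed sinusoidal test signal in place of real ciphertext samples, the parameters of Eq. (2), and direct evaluation of Eq. (1) as a stand-in for the receiver's inversion; the step sizes are also assumed.

```python
import math

# Oscillator parameters and generator frequency from the key of Eq. (2).
ALPHA, BETA, DELTA, OMEGA = 10.0, 100.0, 1.0, 3.76
AMP = 0.4  # amplitude of the constructed test signal (assumed value)


def x(t):
    """Constructed smooth stand-in for the transmitted samples x(t_i)."""
    return AMP * math.sin(OMEGA * t)


def x_dot(t):
    return AMP * OMEGA * math.cos(OMEGA * t)


def x_ddot(t):
    return -AMP * OMEGA ** 2 * math.sin(OMEGA * t)


def duffing_input(xv, xd, xdd):
    """Left-hand side of Eq. (1): the input u implied by x and its derivatives."""
    return xdd + DELTA * xd - ALPHA * xv + BETA * xv ** 3


def u_exact(t):
    return duffing_input(x(t), x_dot(t), x_ddot(t))


def u_from_differences(t, h):
    """Same evaluation with both derivatives replaced by forward differences."""
    x0, x1, x2 = x(t), x(t + h), x(t + 2 * h)
    first = (x1 - x0) / h                   # formula (16)
    second = (x2 - 2 * x1 + x0) / h ** 2    # second-difference formula
    return duffing_input(x0, first, second)


def worst_error(h, t_end=10.0):
    """Largest |u_differences - u_exact| over the nodes t_i = i*h in [0, t_end)."""
    steps = int(t_end / h)
    return max(abs(u_from_differences(i * h, h) - u_exact(i * h))
               for i in range(steps))


if __name__ == "__main__":
    for h in (0.05, 0.005):
        print(f"h = {h}: worst error in u = {worst_error(h):.3f}")
```

At h = 0.05 the worst error in the reconstructed u(t) is about as large as a plaintext pulse of amplitude one, and it shrinks only in proportion to h.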

4 Conclusion 

As a consequence of the previous analysis, the cryptosystem studied cannot work 
in practice because it is not using any synchronization mechanism and because 
it is not robust to real channel conditions. On the other hand, the cryptosystem 
is rather weak, since it can be broken by using a set of 114 parameter values 
only. The total lack of security, along with the lack of robustness, discourages 
the use of this algorithm for secure applications. 

Acknowledgements This work is supported by Ministerio de Ciencia y Tecnología
of Spain, research grant TIC2001-0586.

Figure captions

Figure 1: Power spectral analysis of the ciphertext signal. The highest peak
corresponds to the frequency of $S_1$ and lies at $\omega \approx 3.76$.

Figure 2: Plaintext recovery with inexact receiver parameter values. Time
histories of: (a) plaintext; (b) recovered plaintext; (c) p(t).

Figure 3: Effects of a real communication channel: (a) plaintext; (b) recovered
plaintext with channel bandwidth restricted to $\omega = 6.28$ rad/s; (c)
recovered plaintext with channel attenuation of 3 dB; (d) recovered plaintext
with channel noise of −40 dB; (e) recovered plaintext with channel bandwidth
restricted to $\omega = 9.42$ rad/s, attenuation of 0.5 dB and noise of −50 dB.
The parameter values at the sender and receiver ends match exactly.



